omniauth-workos 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ca6792ae900fd8ff62ec50165bf0dad3925b4a8bf399d45bdd000b42154ee779
+  data.tar.gz: 8f59e1223bd81407fcd02980a16879d769b69d911ee7ca52d54131906528f10f
+SHA512:
+  metadata.gz: 39ac12ad8a083de04e6eb3765484fee4f5504e542de39bf97f2058aad0e95c1e89f5200f6526a3ef6d01e18c0705c8ac8dbc6581d06c8629a3c198171edad9e9
+  data.tar.gz: 4db30484b097f977fa668d04b21463d294541ab509c068750365261368c4ea845f971908f2bffeb75bb6d60cdf2b4adf72980bed5e222e86c37bb2f63e505bf1

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [1.0.0] - 2022-02-21
+
+- Initial release

data/Gemfile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+gem "rake"
+
+group :development do
+  gem "debug"
+  gem "retest"
+end
+
+group :test do
+  gem "rack-test", "~> 1.1"
+  gem "rspec", "~> 3.11"
+  gem "sinatra", "~> 2.2"
+  gem "timecop", "~> 0.9"
+  gem "webmock", "~> 3.14"
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Joao Fernandes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,131 @@
+# OmniAuth WorkOS Strategy
+
+An OmniAuth strategy for authenticating with [WorkOS](https://workos.com). This strategy is based on the [OmniAuth OAuth2 strategy](https://github.com/omniauth/omniauth-oauth2).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-workos'
+```
+
+If you're using this strategy with Rails, also add the following for CSRF protection:
+
+```ruby
+gem 'omniauth-rails_csrf_protection'
+```
+
+And then execute:
+
+    $ bundle install
+
+## Usage
+
+To start processing authentication requests, the following steps must be performed:
+
+1. Initialize the strategy
+2. Configure the callback controller
+3. Add the required routes
+4. Trigger an authentication request
+
+### Authentication hash
+
+The WorkOS strategy will provide the standard OmniAuth hash attributes:
+
+- `:provider` - the name of the strategy, in this case `workos`
+- `:uid` - the user identifier
+- `:info` - the user's profile ([can be filtered](#filter-info-fields))
+- `:credentials` - token requested and data
+
+```ruby
+{
+  :provider => "workos",
+  :uid => "prof_01DMC79VCBZ0NY2099737PSVF1",
+  :info => {
+    :connection_id => "conn_01E4ZCR3C56J083X43JQXF3JK5",
+    :organization_id => "org_01EHWNCE74X7JSDV0X3SZ3KJNY",
+    :connection_type => "okta",
+    :email => "todd@foo-corp.com",
+    :name => "Todd Rundgren",
+    :first_name => "Todd",
+    :idp_id => "00u1a0ufowBJlzPlk357",
+    :last_name => "Rundgren",
+    :object => "profile",
+    :raw_attributes" => {...}
+  },
+  :credentials => {
+    :token => "ACCESS_TOKEN",
+    :expires_at => 1485373937,
+    :expires => true
+  }
+}
+```
+
+#### Filter info fields
+
+To filter the fields in the `info` object, you can specify them when you register the provider:
+
+```ruby
+provider
+  :workos,
+  ENV['WORKOS_CLIENT_ID'],
+  ENV['WORKOS_CLIENT_SECRET'],
+  ENV['WORKOS_DOMAIN'],
+  {
+    info_fields: %w[email first_name]
+  }
+```
+
+Possible values are:
+- `"all"` (default) - don't filter, that is, include all fields
+- `%w[...]` (an array of **strings**) - the fields to include
+
+Note: field `"name"` will always be included.
+
+### Query parameter options
+
+In some scenarios, you may need to pass specific query parameters to `/sso/authorize`. The following parameters are available to enable this:
+
+- `connection`
+- `organization`
+- `provider`
+- `login_hint`
+
+Refer to the [documentation](https://workos.com/docs/reference/sso/authorize/get#authorize-get-endpoint) to see when and how to use them.
+
+Simply pass these query parameters to your OmniAuth redirect endpoint to enable their behavior.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/jcmfernandes/omniauth-workos.
+
+## License
+
+Released under the MIT License. See [{file:LICENSE}](LICENSE).
+
+Copyright (c) 2022, João Fernandes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: %i[spec]

data/lib/omniauth/strategies/workos.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
+
+module OmniAuth::Strategies
+  class WorkOS < OmniAuth::Strategies::OAuth2
+    class Error < StandardError; end
+
+    AUTHORIZE_PARAMS_SESSION_KEY = "omniauth_workos_authorize_params"
+    private_constant :AUTHORIZE_PARAMS_SESSION_KEY
+
+    option :name, "workos"
+    option :client_options,
+           site: "https://api.workos.com",
+           authorize_url: "/sso/authorize",
+           token_url: "/sso/token"
+    option :authorize_options, %w[organization connection provider login_hint]
+    # info_fields:
+    # Either an **array** with the names of the fields as **strings**, or the
+    # the **string** "all" to return all available fields.
+    option :info_fields, "all"
+
+    uid do
+      raw_info.fetch("id")
+    end
+
+    info do
+      if options[:info_fields] == "all"
+        raw_info.clone.tap { |hash| hash.delete("id") }
+      else
+        {}.tap do |result|
+          options[:info_fields].each do |field|
+            field = field.to_s
+            result[field] = raw_info[field]
+          end
+        end
+      end
+    end
+
+    credentials do
+      {
+        "token" => access_token.token,
+        # As per the documentation, tokens expire in 10 minutes.
+        "expires" => true,
+        "expires_at" => Time.now.utc.to_i + (10 * 60)
+      }.tap do
+        authorize_params = session.delete(AUTHORIZE_PARAMS_SESSION_KEY) || {}
+
+        # Confirm that the user comes from the connection/organization requested
+        # during the authorize phase.
+        unless authorize_params.key?("connection") || authorize_params.key?("organization")
+          raise Error.new("invalid session; no connection nor organization")
+        end
+
+        if authorize_params.key?("connection") && authorize_params["connection"] != raw_info["connection_id"]
+          raise Error.new("the user's connection_id `#{raw_info["connection_id"]}` doesn't match what was requested `#{authorize_params["connection"]}`")
+        end
+
+        if authorize_params.key?("organization") && authorize_params["organization"] != raw_info["organization_id"]
+          raise Error.new("the user's organization_id `#{raw_info["organization_id"]}` doesn't match what was requested `#{authorize_params["organization"]}`")
+        end
+      end
+    end
+
+    def authorize_params
+      super.tap do |params|
+        options[:authorize_options].each do |key|
+          value = request.params[key]
+          next if blank?(value)
+
+          params[key] = value
+        end
+
+        # Store the authorize params in the session because we will need them
+        # during the callback phase to verify that the user comes from the
+        # requested connection/organization.
+        session[AUTHORIZE_PARAMS_SESSION_KEY] = params
+      end
+    end
+
+    def request_phase
+      if blank?(options.client_id)
+        fail!(:missing_client_id)
+      elsif blank?(options.client_secret)
+        fail!(:missing_client_secret)
+      else
+        super
+      end
+    end
+
+    def callback_phase
+      super
+    rescue Error => e
+      fail!(:connection_or_organization_mismatch, e)
+    end
+
+    private
+
+    def raw_info
+      @raw_info ||= access_token["profile"]
+    end
+
+    # https://github.com/omniauth/omniauth-oauth2/issues/93
+    def callback_url
+      full_host + script_name + callback_path
+    end
+
+    def blank?(obj)
+      obj.respond_to?(:empty?) ? obj.empty? : !obj
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "workos", "WorkOS"

data/lib/omniauth-workos/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module WorkOS
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth-workos.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require_relative "omniauth-workos/version"
+require_relative "omniauth/strategies/workos"

data/omniauth-workos.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "lib/omniauth-workos/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-workos"
+  spec.version = OmniAuth::WorkOS::VERSION
+  spec.authors = ["João Fernandes"]
+  spec.email = ["joao.fernandes@ist.utl.pt"]
+
+  spec.summary = "OmniAuth OAuth2 strategy for the WorkOS platform"
+  spec.homepage = "https://github.com/jcmfernandes/omniauth-workos"
+  spec.license = "MIT"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'omniauth', '~> 2.0'
+  spec.add_dependency 'omniauth-oauth2', '~> 1.7'
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-workos
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- João Fernandes
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-02-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+description: 
+email:
+- joao.fernandes@ist.utl.pt
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-workos.rb
+- lib/omniauth-workos/version.rb
+- lib/omniauth/strategies/workos.rb
+- omniauth-workos.gemspec
+homepage: https://github.com/jcmfernandes/omniauth-workos
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/jcmfernandes/omniauth-workos
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.3
+signing_key: 
+specification_version: 4
+summary: OmniAuth OAuth2 strategy for the WorkOS platform
+test_files: []